User authentication using techniques such as passwords, one time passwords (OTPs), hardware or software smartcards, etc., have all proven to be either too weak and susceptible to man in the middle (MITM) or man in the browser (MITB) attacks, or else have proven too cumbersome and expensive. The use of single sign on techniques such as OpenID, FaceBook Connect, etc., only make the problem worse as once the attacker has compromised the master account they can now break into all other accounts that rely on that initial login. Further, the focus of attackers has shifted from trying to break the login process to using sophisticated techniques to come in after the act of login and to attack the transactions being performed. This has made transaction authentication, the act of confirming if the transaction seen at the back end web server is identical to that intended by the user, even more important.
Out-of-band authentication (OOBA), a technique by which a transaction is relayed to the user, and confirmation obtained, using an alternate form of communication, for instance by placing a voice phone call or a text message, is a promising alternative, but is also to inconvenient and costly to be used very often. It might be useful for the highest value transactions, or rare events like password resets, but using it for large numbers of transactions is too costly and cumbersome.
Recently, an innovative new authentication system and protocol has been developed to address some of these problems. Specifically, a system and protocol, commonly referred to as “2CHK”, can provide a user with an OTP to enable login into a website (i.e. authentication of the user to the website) or to electronically sign a transaction entered into with a website, based on a secret shared between the website and the security server. Of particular utility is the fact that 2CHK provides the security of one time passwords, but does not require a per user shared secret which all prior OTP systems and protocols have required.
It is common when users browse an eCommerce website, such as a merchant, bank or broker website, for them to see Payment Buttons such as that provided by PayPal. When the user clicks on that payment functionality, the user is typically interacting directly with the payment provider. This means the user does not reveal their credentials for authenticating to the payment provider to the eCommerce site. This is an important feature that is no longer available when a user is interacting with the eCommerce site using a smart phone app the website provides. Thus, 2CHK can be implemented using a separate secure client application, commonly referred to as the “2CHK client”, which has an independent secure communication channel to a back end authentication server. The 2CHK client can be implemented as dedicated software on a computing device, or as a browser based application, or as an application on a mobile communications device, including a smart phone, such as an IPhone.
For example, the 2CHK client can be used to show user transactions either to inform the user of the transaction, allow the user to confirm/deny the transaction and/or provide the user with a transaction signature, i.e. an OTP, which he/she can use in another application, such as a merchant or bank website application, to sign off on the transaction. Furthermore, the 2CHK client can also provide the user with an OTP that can be used to login to different websites or other applications. Depending on the implementation, 2CHK can use either of two distinct methods for generating such OTPs. One in which the OTP is provided by the authentication server, and the other in which the 2CHK client is “seeded” during activation so it can then generate OTPs without any connection to the backend authentication server.
The profusion of smart phones has resulted in the coming to market of adjunct pieces of hardware that can attach to the smart phones using various interfaces. Much like one can attach a printer to a computer using a USB port and/or cable, one can also attach devices to smart phones using for instance the ubiquitous headphone jack. Thus, the 2CHK client has been adapted to execute on such adjunct hardware and thereby provide for efficient and secure login authentication and transaction authorization using plug-in hardware compatible with smart mobile communication devices and Internet connectable personal computing devices.